1. Field of the Invention
This invention relates to the field of control networking, and in particular to the detection of a potential virus in a control script.
2. Description of Related Art
Conventional anti-virus programs look for particular patterns or blocks of code in suspect programs, such as any program downloaded from the Internet, received via an e-mail application, loaded from a removable disk, and so on. When a block is recognized that matches the “signature” of a known or hypothesized virus, the suspect program is determined to contain a virus. Depending upon the user preferences, the virus detecting program will either delete the block, delete the entire program, or provide the user with disposition options. Similar pattern matching techniques are used for detecting viruses in scripts, or macros, that are attached to data files.
Emulation programs are also used to detect potential viruses, as exemplified by U.S. Pat. No. 5,398,196, “METHOD AND APPARATUS FOR DETECTION OF COMPUTER VIRUSES”, issued 14 Mar. 1995 to David A. Chambers, which is incorporated by reference herein. In this referenced patent, the antivirus program maintains variables corresponding to the CPU registers and emulates procedures corresponding to the CPU instructions contained in the suspect program. A monitor program evaluates the result of each CPU instruction between each instruction set to detect aberrant or dangerous behavior, based on ‘intelligent’ rules and procedures, such as a procedure that detects the replication of code, or a procedure that detects a modification of program code, based on the observation that conventional programs do not replicate themselves, nor do they modify program code. As discussed in the referenced patent, other virus detecting techniques include behavior monitors, checksum monitors, digital signature verification, and the like.
Home or office networking systems provide a unique opportunity for ill-intentioned programmers to wreak havoc. The HAVi architecture, the Home API initiative and UPnP, the Universal Serial Bus (USB), HomeRF Lite, and the Bluetooth standard, each involving substantial contributions from Philips Electronics, the Jini technology of Sun Microsystems, Inc., and others, have been developed to enhance the interoperability of multiple devices in a network. In a conventional home or office networking system, explicit or implicit links are created among devices on one or more networks, wherein the state of one device, such as a control device, effects an operation by another device, such as a home appliance. Increasingly, programs and techniques are being developed to effect a high degree of automated control, including, for example, activating devices based on user habits or preferences, and/or user commands or gestures, and so on. Typically, small office or home network users lack the technical skills and/or technical support necessary for a thorough evaluation of third-party software.
Generally, networking is effected by providing a mapping function that links one device's state to another's. In the Home API system, an example mapping function is the “AddRoute” function:

    root.AddRoute(device1, stateA, device2, stateB)
This AddRoute function provides a control route between device1 and device2, such that, if device1 is in stateA, device2 is placed into stateB. An example AddRoute mapping may be:

    root.AddRoute(switch, "power-on", light, "bright")
This example AddRoute function effects a link between the switch device and the light device, such that when the switch is in the “power-on” state, the light is placed in the “bright” state. Each time a device changes state, it reports its new state to all the devices on the net. Devices that have been linked to the device whose state has changed then determine whether they need to change state to correspond to the reported changed state. In some systems, each device monitors the states of other devices and effects its required changes directly; in other systems, one or more controllers monitor the states of devices on the network, and effect the required changes via commands to the controlled devices.
In like manner, a UPnP network effects control by having devices advertise their services, and also provide the commands necessary to effect each service, including providing a “presentation” page for presentation to a potential user. In this manner, a user control point (UCP) can provide an interface for a user, or another application program, to control the device. UPnP enabled devices, UCPs and/or software applications may receive notifications about status changes in other devices and/or services using the subscription protocol defined by the UPnP architecture. The Microsoft WindowsME operating system allows users to enable the UPnP functionality and control networked devices via the “My Network Places” folder. Other network systems employ other schemes for describing the structure and functions of a control network, such as JavaScript, VB script, and the like. The eXtensible Mark-up Language (XML) is also often used to create control system definitions and to describe control system configurations. XML files may also contain script elements, written, for example, in JavaScript, VBscript, and others.
For convenience, the term “script” is used hereinafter to define one or more commands, instructions, data sets, and so on, that, when executed or processed, effect a control or monitor function with regard to one or more devices and/or services. Each control network architecture provides a method for defining the mapping among states of devices, as well as methods for effecting an intended control of a device and/or service. These methods allow the network control logic to be expressed via scripts, and are collectively referred to as scripting methods.
A virus program can easily provide a script that effects aberrant behavior, such as controlling a device that does not logically correspond to the state of another device, or controlling a device contrary to the logical correspondence to another device. For example, in a typical home control network, a music system may be programmed via a script to be turned off whenever a particular television system is turned on. A virus program may introduce a link that turns the music system on whenever the television system is turned on, or after an nth channel-change on the television, or whenever a garage door is opened, or whenever a telephone call is received, and so on. In like manner, aberrant behavior can be induced via a virus that introduces changes to the advertising, control, or other UPnP scripts associated with a device, or via changes to the URLs that provide the address of the appropriate scripts corresponding to the controlled device.
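The route semantics and the television/music example above can be made concrete with a short sketch. This is an added illustration, not part of the patent text or of the Home API: `makeRoot`, `auditRoutes`, the device names and the state strings are hypothetical, and the sample routes are constructed. A received script is run against a recording `root` object instead of the live network, and its routes are compared with the user's approved routes.

```javascript
// Added illustration; makeRoot and auditRoutes are hypothetical helpers.
// Records AddRoute calls (device1 in stateA => device2 placed in stateB)
// without touching any real device.
function makeRoot() {
  const routes = [];
  return {
    routes,
    AddRoute(device1, stateA, device2, stateB) {
      routes.push({ device1, stateA, device2, stateB });
    },
  };
}

// A route is identified by its trigger and the device it controls.
const trigger = (r) => `${r.device1}:${r.stateA}->${r.device2}`;

// Compare routes recorded from a candidate script with the approved baseline.
function auditRoutes(baseline, candidate) {
  const approved = new Map(baseline.map((r) => [trigger(r), r.stateB]));
  const seen = new Map();
  const findings = [];
  for (const r of candidate) {
    const key = trigger(r);
    if (approved.has(key) && approved.get(key) !== r.stateB) {
      // Same trigger and target as an approved route, but a different resulting state.
      findings.push({ kind: "contradicts-baseline", route: r, expected: approved.get(key) });
    } else if (!approved.has(key)) {
      // A link the user never approved.
      findings.push({ kind: "new-link", route: r });
    }
    if (seen.has(key) && seen.get(key) !== r.stateB) {
      // The script contradicts itself on one trigger.
      findings.push({ kind: "self-conflict", route: r, expected: seen.get(key) });
    }
    seen.set(key, r.stateB);
  }
  return findings;
}

// Constructed sample: the user's approved configuration.
const baseline = makeRoot();
baseline.AddRoute("switch", "power-on", "light", "bright");
baseline.AddRoute("television", "power-on", "music", "power-off");

// Constructed sample: a received script, recorded rather than applied.
function candidateScript(root) {
  root.AddRoute("switch", "power-on", "light", "bright");
  root.AddRoute("television", "power-on", "music", "power-on");
  root.AddRoute("garage-door", "open", "music", "power-on");
}
const recorder = makeRoot();
candidateScript(recorder);
const findings = auditRoutes(baseline.routes, recorder.routes);
```

A "new-link" finding marks a route for the user to review, not a confirmed virus: the comparison is against the user's approved configuration, so a legitimate new route is reported the same way.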
A virus-induced script, however, will not necessarily have a characteristic “signature” that can be detected via a pattern matching scheme, nor a characteristic “behavior” that can be detected by a conventional emulation system. For example, a script that changes a channel of a networked television provides a useful function, when executed in accordance with a user's intent. The same script, executed randomly by a virus, will be disruptive, and may force a user to discontinue the use of the network until the problem is resolved. Critical to the operation of a conventional emulation system is the recognition of behavior that can be considered aberrant or dangerous, such as computer commands that effect wide-scale deletions of files, or the characteristic replication and program-modification effects of virus programs, discussed above.
In like manner, inappropriate scripts, such as scripts prepared for a different target system, or scripts that are incompatible with a user's existing system, can wreak havoc on the user's networking system. Relatively minor incompatibilities, such as the use of a device-name in the script that corresponds to a different device having the same device-name in the user's existing network, can have major consequences. Such scripts are difficult to detect as being problematic, because they may work properly on one particular system configuration, and improperly in another.